Revision tags: OpenSSL-engine-0_9_6j, OpenSSL_0_9_7b, OpenSSL_0_9_6j, OpenSSL-engine-0_9_6i, OpenSSL_0_9_6i, OpenSSL_0_9_7a |
|
#
4879ec7b |
| 15-Feb-2003 |
Geoff Thorpe |
Session cache implementations shouldn't have to access SSL_SESSION elements directly, so this missing functionality is required. PR: 276
|
Revision tags: OpenSSL_0_9_7, OpenSSL_0_9_7-beta6, STATE_after_zlib, STATE_before_zlib, OpenSSL_0_9_7-beta5, OpenSSL-engine-0_9_6h, OpenSSL_0_9_6h |
|
#
4579924b |
| 28-Nov-2002 |
Richard Levitte |
Cleanse memory using the new OPENSSL_cleanse() function. I've covered all the memset()s I felt safe modifying, but may have missed some.
|
Revision tags: OpenSSL_0_9_7-beta4 |
|
#
54a656ef |
| 13-Nov-2002 |
Ben Laurie |
Security fixes brought forward from 0.9.7.
|
#
e0db2eed |
| 29-Oct-2002 |
Geoff Thorpe |
Correct and enhance the behaviour of "internal" session caching as it relates to SSL_CTX flags and the use of "external" session caching. The existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
Correct and enhance the behaviour of "internal" session caching as it relates to SSL_CTX flags and the use of "external" session caching. The existing flag, "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP" remains but is supplemented with a complimentary flag, "SSL_SESS_CACHE_NO_INTERNAL_STORE". The bitwise OR of the two flags is also defined as "SSL_SESS_CACHE_NO_INTERNAL" and is the flag that should be used by most applications wanting to implement session caching *entirely* by its own provided callbacks. As the documented behaviour contradicted actual behaviour up until recently, and since that point behaviour has itself been inconsistent anyway, this change should not introduce any compatibility problems. I've adjusted the relevant documentation to elaborate about how this works. Kudos to "Nadav Har'El" <nyh@math.technion.ac.il> for diagnosing these anomalies and testing this patch for correctness. PR: 311
show more ...
|
Revision tags: OpenSSL-engine-0_9_6g, OpenSSL_0_9_6g, OpenSSL-engine-0_9_6f, OpenSSL_0_9_6f |
|
#
5574e0ed |
| 02-Aug-2002 |
Bodo Möller |
get rid of OpenSSLDie
|
#
c046fffa |
| 30-Jul-2002 |
Lutz Jänicke |
OpenSSL Security Advisory [30 July 2002] Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force
OpenSSL Security Advisory [30 July 2002] Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.
show more ...
|
Revision tags: OpenSSL_0_9_7-beta3, OpenSSL-engine-0_9_6e, OpenSSL_0_9_6e, OpenSSL_0_9_7-beta2, OpenSSL_0_9_7-beta1, AFTER_COMPAQ_PATCH, BEFORE_COMPAQ_PATCH, OpenSSL-engine-0_9_6d, OpenSSL_0_9_6d, OpenSSL-engine-0_9_6d-beta1, OpenSSL_0_9_6d-beta1, OpenSSL-engine-0_9_6c |
|
#
acfe628b |
| 10-Feb-2002 |
Lutz Jänicke |
Make removal from session cache more robust.
|
Revision tags: OpenSSL_0_9_6c |
|
#
79aa04ef |
| 01-Sep-2001 |
Geoff Thorpe |
Make the necessary changes to work with the recent "ex_data" overhaul. See the commit log message for that for more information. NB: X509_STORE_CTX's use of "ex_data" support was actuall
Make the necessary changes to work with the recent "ex_data" overhaul. See the commit log message for that for more information. NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented (initialisation by "memset" won't/can't/doesn't work). This fixes that but requires that X509_STORE_CTX_init() be able to handle errors - so its prototype has been changed to return 'int' rather than 'void'. All uses of that function throughout the source code have been tracked down and adjusted.
show more ...
|
#
b7727ee6 |
| 12-Aug-2001 |
Geoff Thorpe |
The indexes returned by ***_get_ex_new_index() functions are used when setting stack (actually, array) values in ex_data. So only increment the global counters if the underlying CRYPTO_get_ex
The indexes returned by ***_get_ex_new_index() functions are used when setting stack (actually, array) values in ex_data. So only increment the global counters if the underlying CRYPTO_get_ex_new_index() call succeeds. This change doesn't make "ex_data" right (see the comment at the head of ex_data.c to know why), but at least makes the source code marginally less frustrating.
show more ...
|
#
c2a3358b |
| 31-Jul-2001 |
Richard Levitte |
Whoops, my fault, a backslash got converted to a slash...
|
#
882e8912 |
| 31-Jul-2001 |
Richard Levitte |
More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu> His comments are: First, it corrects a problem introduced in the last patch where the kssl_map_enc() would intent
More Kerberos SSL changes from Jeffrey Altman <jaltman@columbia.edu> His comments are: First, it corrects a problem introduced in the last patch where the kssl_map_enc() would intentionally return NULL for valid ENCTYPE values. This was done to prevent verification of the kerberos 5 authenticator from being performed when Derived Key ciphers were in use. Unfortunately, the authenticator verification routine was not the only place that function was used. And it caused core dumps. Second, it attempt to add to SSL_SESSION the Kerberos 5 Client Principal Name.
show more ...
|
Revision tags: OpenSSL-engine-0_9_6b, OpenSSL_0_9_6b, OpenSSL_0_9_6a, OpenSSL-engine-0_9_6a, OpenSSL-engine-0_9_6a-beta3, OpenSSL_0_9_6a-beta3, OpenSSL-engine-0_9_6a-beta2, OpenSSL_0_9_6a-beta2, OpenSSL-engine-0_9_6a-beta1, OpenSSL_0_9_6a-beta1 |
|
#
f85c9904 |
| 23-Feb-2001 |
Geoff Thorpe |
Fix an oversight - when checking a potential session ID for conflicts with an SSL_CTX's session cache, it is necessary to compare the ssl_version at the same time (a conflict is defined, cour
Fix an oversight - when checking a potential session ID for conflicts with an SSL_CTX's session cache, it is necessary to compare the ssl_version at the same time (a conflict is defined, courtesy of SSL_SESSION_cmp(), as a matching id/id_length pair and a matching ssl_version). However, the SSL_SESSION that will result from the current negotiation does not necessarily have the same ssl version as the "SSL_METHOD" in use by the SSL_CTX - part of the work in a handshake is to agree on an ssl version! This is fixed by having the check function accept an SSL pointer rather than the SSL_CTX it belongs to. [Thanks to Lutz for illuminating the full extent of my stupidity]
show more ...
|
#
dc644fe2 |
| 21-Feb-2001 |
Geoff Thorpe |
This change allows a callback to be used to override the generation of SSL/TLS session IDs in a server. According to RFC2246, the session ID is an arbitrary value chosen by the server. It can
This change allows a callback to be used to override the generation of SSL/TLS session IDs in a server. According to RFC2246, the session ID is an arbitrary value chosen by the server. It can be useful to have some control over this "arbitrary value" so as to choose it in ways that can aid in things like external session caching and balancing (eg. clustering). The default session ID generation is to fill the ID with random data. The callback used by default is built in to ssl_sess.c, but registering a callback in an SSL_CTX or in a particular SSL overrides this. BTW: SSL callbacks will override SSL_CTX callbacks, and a new SSL structure inherits any callback set in its 'parent' SSL_CTX. The header comments describe how this mechanism ticks, and source code comments describe (hopefully) why it ticks the way it does. Man pages are on the way ... [NB: Lutz was also hacking away and helping me to figure out how best to do this.]
show more ...
|
#
3c914840 |
| 09-Jan-2001 |
Geoff Thorpe |
Move all the existing function pointer casts associated with LHASH's two "doall" functions to using type-safe wrappers. As and where required, this can be replaced by redeclaring the underlyi
Move all the existing function pointer casts associated with LHASH's two "doall" functions to using type-safe wrappers. As and where required, this can be replaced by redeclaring the underlying callbacks to use the underlying "void"-based prototypes (eg. if performance suffers from an extra level of function invocation).
show more ...
|
#
385d8138 |
| 01-Dec-2000 |
Geoff Thorpe |
First step in tidying up the LHASH code. The callback prototypes (and casts) used in the lhash code are about as horrible and evil as they can be. For starters, the callback prototypes contai
First step in tidying up the LHASH code. The callback prototypes (and casts) used in the lhash code are about as horrible and evil as they can be. For starters, the callback prototypes contain empty parameter lists. Yuck. This first change defines clearer prototypes - including "typedef"'d function pointer types to use as "hash" and "compare" callbacks, as well as the callbacks passed to the lh_doall and lh_doall_arg iteration functions. Now at least more explicit (and clear) casting is required in all of the dependant code - and that should be included in this commit. The next step will be to hunt down and obliterate some of the function pointer casting being used when it's not necessary - a particularly evil variant exists in the implementation of lh_doall.
show more ...
|
#
0dd2254d |
| 29-Nov-2000 |
Lutz Jänicke |
Store verify_result with sessions to avoid potential security hole. For the server side this was already done one year ago :-(
|
Revision tags: rsaref, BEFORE_engine, OpenSSL_0_9_6-beta2, OpenSSL_0_9_6-beta1, OpenSSL_0_9_6, OpenSSL-engine-0_9_6, OpenSSL-engine-0_9_6-beta3, OpenSSL_0_9_6-beta3, OpenSSL-engine-0_9_6-beta2, OpenSSL-engine-0_9_6-beta1 |
|
#
26a3a48d |
| 01-Jun-2000 |
Richard Levitte |
There have been a number of complaints from a number of sources that names like Malloc, Realloc and especially Free conflict with already existing names on some operating systems or other pac
There have been a number of complaints from a number of sources that names like Malloc, Realloc and especially Free conflict with already existing names on some operating systems or other packages. That is reason enough to change the names of the OpenSSL memory allocation macros to something that has a better chance of being unique, like prepending them with OPENSSL_. This change includes all the name changes needed throughout all C files.
show more ...
|
Revision tags: OpenSSL_0_9_5, OpenSSL_0_9_5a, OpenSSL_0_9_5a-beta2, OpenSSL_0_9_5a-beta1, OpenSSL_0_9_5beta2, OpenSSL_0_9_5beta1 |
|
#
9d1a01be |
| 30-Jan-2000 |
Ulf Möller |
Source code cleanups: Use void * rather than char * in lhash, eliminate some of the -Wcast-qual warnings (debug-ben-strict target)
|
#
52732b38 |
| 26-Jan-2000 |
Bodo Möller |
Some comments added, and slight code clean-ups.
|
#
dd9d233e |
| 23-Jan-2000 |
Dr. Stephen Henson |
Tidy up CRYPTO_EX_DATA structures.
|
#
e7f97e2d |
| 21-Jan-2000 |
Ulf Möller |
Check RAND_bytes() return value or use RAND_pseudo_bytes().
|
#
45fd4dbb |
| 29-Dec-1999 |
Bodo Möller |
Fix SSL_CTX_add_session: When two SSL_SESSIONs have the same ID, they can sometimes be different memory structures.
|
#
1088e27c |
| 17-Nov-1999 |
Bodo Möller |
Restore traditional SSL_get_session behaviour so that s_client and s_server don't leak tons of memory.
|
#
b1fe6ca1 |
| 16-Nov-1999 |
Bodo Möller |
Store verify_result with sessions to avoid potential security hole.
|
#
b7cfcfb7 |
| 15-Nov-1999 |
Mark J. Cox |
This corrects the reference count handling in SSL_get_session. Previously, the returned SSL_SESSION didn't have its reference count incremented so the SSL_SESSION could be freed at any time c
This corrects the reference count handling in SSL_get_session. Previously, the returned SSL_SESSION didn't have its reference count incremented so the SSL_SESSION could be freed at any time causing seg-faults if the pointer was subsequently used. Code that uses SSL_get_session must now make a corresponding SSL_SESSION_free() call when it is done to avoid memory leaks (or blocked up session caches). Submitted By: Geoff Thorpe <geoff@eu.c2.net>
show more ...
|